Hacking May Prompt Heightened US Election Security

US officials are weighing whether to designate elections as national critical infrastructure after recent hacking attacks on political groups, a move that would open up federal assistance to election officers around the country, Homeland Security Secretary Jeh Johnson said.

“We should carefully consider whether our election system, our election process, is critical infrastructure,” Johnson told reporters recently at a breakfast sponsored by the Christian Science Monitor. “There’s a vital national interest in our election process.”

The debate comes after hackers infiltrated the computer networks of the Democratic National Committee and the Democratic Congressional Campaign Committee in what cybersecurity experts call a broad operation by Russian operatives to infiltrate US political organizations. Hillary Clinton’s campaign said hackers also breached one of its data programs, adding that cybersecurity efforts found “no evidence” that internal systems were compromised.

The attacks, which the FBI is investigating, have spurred speculation that Russian President Vladimir Putin’s government is trying to meddle in and influence US elections, an assertion that officials in Moscow have repeatedly denied.

The breaches also revive a lingering debate over whether electronic voting systems, which have replaced paper ballots in many jurisdictions, could be hacked to manipulate the results. Republican presidential nominee Donald Trump said that he’s “afraid the election’s gonna be rigged,” although Republicans have focused mostly on potential fraud by ineligible voters.

Real Problem

Asked about the reports of Russia’s possible involvement in hacking, President Barack Obama said, “If in fact Russia engaged in this activity, it’s just one on a long list of issues that me and Mr. Putin talk about and that I’ve got a real problem with.”

Johnson said the US wasn’t yet prepared to attribute the attacks to any particular nation or group. Designating elections as critical infrastructure would put them on par with other vital national assets, such as the power grid and pipelines.

Presidential Policy Directive

White House Press Secretary Josh Earnest told reporters that members of the president’s national security team are discussing the proposal. "It’s important for the federal government to offer support to state and local governments" in their efforts, he said.

The Department of Homeland Security has the authority to designate what qualifies as critical infrastructure under Presidential Policy Directive 21 and Executive Order 13636, said Bruce McConnell, former DHS deputy undersecretary for cybersecurity. In reality, though, Johnson is vetting the proposal through the interagency process and floating it publicly to ensure it has support before making a final decision, he said.

"It’s not that they would take unilateral action but legally they have the authority to do this," said McConnell, who is now global vice president of the nonprofit EastWest Institute, based in New York.

November Election

It isn’t clear what difference such a designation would make for the upcoming November elections, as any new funding for security would have to be approved by Congress.

For this year’s elections, McConnell has recommended that DHS issue a security alert warning election officials of risks to their systems, advising them of the need to have an audit trail and paper backups, and calling on companies supplying voting machines and other equipment to go through independent audits with published results.

Designating voting systems as critical infrastructure also must be accompanied by specific ways to help state and local election officials improve the security of their systems, such as through grant funding, said Larry Clinton, president of the Internet Security Alliance, a cybersecurity trade association.

"I just want to make sure nobody thinks there’s a magic wand that comes along with designating it as critical infrastructure," Clinton of the alliance said in an interview. "There has to be some actual money at the end of the pipeline."

The government could try to mandate security improvements as a condition of receiving funding, Clinton said. A better approach, he said, would be to offer incentives, as the government does to encourage states to improve the safety of highways.

Invest the Resources

"The point is, do you have an actual plan as to how to correct the problems and are you willing to invest the resources?" Clinton said. "We certainly hope this would not be more public relations than actual security."

In the short term, Johnson said he is considering working with election officials across the country on what kind of “best practices” they can adopt to enhance cybersecurity.

"This is something that we’re very focused on right now," Johnson said. "There’s no one federal election system. There are some 9,000 jurisdictions across this country that are involved in the election process."

Bloomberg

 
